9.28.20 – CBC
Weak laws leave thousands vulnerable, former privacy commissioner says.
The message came out of the blue for Taylor Fornell. A stranger told her he had complete control over the home security system in her new house in Stony Plain, Alta., and could prove it.
As she stood alone in her front hall, she watched in disbelief as the man unarmed the system, unlocked doors and windows and told her he could track when she left the house — all with a few clicks on the security company’s app.
“I felt a little sick to my stomach … It’s just really creepy and a breach of trust,” Fornell told Go Public, referring to Vivint, the security company that installed and ran the system.
Fornell was lucky. The stranger who connected with her on Facebook was the former owner of the house.
Rob Hall wanted to warn her he still had control over the security system, despite asking the company to cancel the service weeks before Fornell moved in.
Security and privacy experts say the situation is the result of weak laws and cancellation policies that are written to boost companies’ bottom lines instead of protecting customers.
“It’s so frustrating that consumers should have to be the ones to pick up the slack on how to protect their privacy. It’s outrageous,” said privacy advocate and former Ontario privacy commissioner Ann Cavoukian.
She said security companies should be required to cancel their services as soon as “you depart from the home, should you sell it or something.”
‘She kind of freaked out’
When Hall moved out, the security equipment was left behind. He had no idea he would still be able to control it after he handed over the keys.
He said Fornell “kind of freaked out because she was literally standing in her new house watching all the doors unlocking.”
Hall’s contract with Vivint had already expired when he called on May 21, requesting the service be cut off. He also sent an email that same day confirming his request.
On June 17, he realized he could still control the security system and contacted Fornell.
Go Public spoke with three others who say they had the same experience with Vivint after selling or buying a home. All posted their stories on a private community Facebook page after reading what happened to Hall.
“I just thought that was absolutely crazy,” Hall said.
Hall says he called the company again the day he showed Fornell he still had access, and was told he’d have to wait a few more days before it would be cut off.
“I said, ‘So you’re going to give me access to somebody else’s house? I literally could go on the app, I could watch them leave the house, then I could walk up to the front door, unlock it, disarm the system, walk and steal everything in the place because an alarm company gave me access.'”
Hall says that’s when Vivint deactivated the app, a process which took less than 30 seconds.
Vivint says its policy requires 30 days’ notice for cancellation but says it can cut off access right away if needed. The company says Hall didn’t provide a move-out date when he cancelled the service and the company representative didn’t ask.
The company said “that step was overlooked” by its representatives in all the cases Go Public asked about.
“Our company policy is to confirm this timing but that step was overlooked in the cases you have shared … We have reviewed our process to ensure these situations are handled per our policies moving forward,” spokesperson Liz Tanner told Go Public in an email
She added that the company honoured the terms of the customer agreement in all the cases.
Home security systems are big business in Canada, $2.6-billion a year according to IBISWorld, a private company that provides statistics and research on Canadian industries. That same report found Vivint is on track to have the second largest share of the national security system market by the end of 2020, after ADT.
It’s also an industry with a lot of privacy and security issues, according to Kevvie Fowler from the consultancy firm Deloitte, who has 25 years’ experience as a software developer and a security expert and who works with companies to prevent and recover from security breaches.
For example, Fowler says cancellation policies — which can range from 30 days to six months or more depending on the company — aren’t written with privacy and security in mind, but to increase sales.
“It’s advantageous for the monitoring companies not to cancel your service with the hopes that the new homeowner will actually come on board and sign up to the service … that’s why they focus on the contract and having that extended period of time to actually cancel the service,” he said.
Vivint says that’s not the case with its contracts, saying it requires 30 days to cancel so customers can find another provider or move out of the house or continue to protect a vacant property during a sale.
None of those reasons apply to Hall or the other Vivint customers Go Public spoke with.
Fowler says he’s seen a lot of situations when people have had access to home security systems who shouldn’t — including access to cameras and microphones in and outside a house.
Couple taunted by hacker
Problems with security systems have been well documented. CBC Marketplace exposed problems with some security devices.
Arjun and Jessica Sud learned that firsthand. In January 2019, a stranger was able to hack into the Lake Barrington, Ill., couple’s Google Nest security system, verbally taunting them through their security cameras, after cranking up the heat in their seven-month old son’s bedroom to 32 C as a prank, the couple told Go Public.
WATCH | Homeowners confront digital intruder (Warning: graphic language):
WATCH | Home owners confront digital intruder (Warning: graphic language)
13 days ago1:18Arjun and Jessie Sud of Barrington Lake, Illinois heard a voice in their baby’s bedroom in January 2019 and discovered a hacker watching them via their home security system. 1:18
“The camera that was up on the wall in the living room lights up and a man’s voice starts talking to me. I was horrified. My hair still stands up when I talk about it,” Sud said.
He says he and his wife immediately disconnected all the cameras and complained to the company.
Privacy laws out of date
Cavoukian, the former privacy commissioner, says Canada’s weak privacy laws, which were passed 20 years ago, are a troubling part of the problem.
She says the law should require privacy protection rules to be written into every aspect of business, including contracts and policies, a concept she developed called “privacy by design.”
Without that, she says Canadians are often left with a false sense of security.
“Our privacy law, [the Personal Information Protection and Electronic Documents Act] is so outdated. Our federal privacy commissioner has been trying to get the federal government to upgrade it and modernize it for years,” she said.
Taylor Fornell and Rob Hall would also like to see stronger laws and see companies be upfront about how they protect customers’ safety and privacy.
Fornell says she was considering signing up with Vivint before Hall let her know what was happening.
“It was crazy that someone who didn’t have keys to my front door could unlock my house without even being on my street,” she said.
“If [Hall] was somebody else, if he wasn’t an honest person, he could have come in and done who knows what.”
Submit your story ideas
Go Public is an investigative news segment on CBC-TV, radio and the web.
We tell your stories, shed light on wrongdoing, and hold the powers that be accountable.
If you have a story in the public interest, or if you’re an insider with information, contact GoPublic@cbc.ca with your name, contact information and a brief summary. All emails are confidential until you decide to Go Public.
Follow @CBCGoPublic on Twitter.
ABOUT THE AUTHOR
Rosa Marchitelli is a national award winner for her investigative work. As co-host of the CBC News segment Go Public, she has a reputation for asking tough questions and holding companies and individuals to account. Rosa’s work is seen across CBC News platforms.